New TDS attempted malware delivery to 600,000 users

Tuesday, 12 April, 2022

Threat researchers at digital security and privacy company Avast have discovered a new malicious Traffic Direction System (TDS) — Parrot TDS — that has infected web servers hosting more than 16,500 websites. Affected sites include university and local government sites, as well as personal websites and providers of adult content.

Website appearances are altered to show a phishing page claiming the user needs to update their browser. When a user runs the browser update file offered, a Remote Access Tool (RAT) is downloaded, giving attackers full access to victims’ computers.

“Traffic Direction Systems serve as a gateway for the delivery of various malicious campaigns via the infected sites,” said Jan Rubin, malware researcher at Avast.

“At the moment, a malicious campaign called ‘FakeUpdate’ (also known as SocGholish) is being distributed via Parrot TDS, but other malicious activity could be performed in the future via the TDS.”

Weak credentials give Parrot TDS wide reach

Rubin and fellow researcher Pavel Novak believe attackers are exploiting web servers of poorly secured content management systems, like WordPress and Joomla sites, by logging into accounts with weak credentials to gain admin access to the servers.

“The only thing the sites have in common is that they are WordPress and in some cases Joomla sites. We therefore suspect weak login credentials were taken advantage of to infect the sites with malicious code,” said Novak, ThreatOps Analyst at Avast.

“The robustness of Parrot TDS and its huge reach make it unique.”

Parrot TDS allows attackers to set parameters so that phishing pages are displayed only to potential victims who meet certain conditions, based on the user’s browser type, cookies and the website they came from. These parameters are set so that each user is shown a phishing page only once, to prevent Parrot TDS’s servers from overloading.

From 1 to 29 March 2022, Avast protected more than 600,000 unique users from around the globe visiting sites infected with Parrot TDS, with 10% of users (6000) in this timeframe based in Australia.

FakeUpdate campaign

The malicious FakeUpdate campaign uses JavaScript to change site appearances to display phishing messages claiming the user needs to update their browser.

Like Parrot TDS, FakeUpdate also performs a preliminary scan to collect information about the site visitor before displaying the phishing message. This is a defensive measure on the attackers’ side, used to decide whether or not to display the phishing message; among other things, the scan checks which antivirus product is installed on the device. The file offered as an update is really a remote access tool called NetSupport Manager.

The bad actors behind the campaign have configured the tool in such a way that the user has very little chance of noticing it. If the file is run by the victim, the attackers gain full access to their computer. The cybercriminals behind the FakeUpdate campaign can change the payload delivered to victims at any time.

In addition to the FakeUpdate campaign, Avast researchers observed other phishing sites being hosted on the Parrot TDS infected sites, but cannot conclusively tie these to Parrot TDS.

How developers can protect their servers

  • Scan all files on the web server with an antivirus program, like Avast Antivirus.
  • Replace all JavaScript and PHP files on the web server with original files.
  • Use the latest CMS version.
  • Use the latest versions of installed plugins.
  • Check for automatically running tasks on the web server (for example, cron jobs).
  • Check and set up secure credentials, and use unique credentials for every service.
  • Check administrator accounts on the server, making sure each of them belongs to a developer and has a strong password.
  • When applicable, set up 2FA for all the web server admin accounts.
  • Use available security plugins (WordPress, Joomla).
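The second item in this list, replacing all JavaScript and PHP files with the originals, implies first finding out which files no longer match the release. The following script is an added example, not code from the article or from Avast: it hashes every PHP and JavaScript file under a pristine copy of the CMS release and under the deployed web root, then reports files that were modified, files that exist only on the server (where a dropped file would show up), and files that are missing. The directory layout, file names and the injected content in `build_demo()` are constructed for the demonstration and are not indicators from the Parrot TDS analysis.

```python
"""Added example (not from the article or the Avast analysis): compare a
deployed CMS tree against a pristine copy of the same release and list
PHP/JavaScript files that differ, were added, or are missing."""
import hashlib
import tempfile
from pathlib import Path

# Only script files are compared; adjust if templates or config are in scope.
SUSPECT_SUFFIXES = {".php", ".js"}


def file_sha256(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """Map relative POSIX path -> SHA-256 for every PHP/JS file under root."""
    result = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SUSPECT_SUFFIXES:
            result[path.relative_to(root).as_posix()] = file_sha256(path)
    return result


def find_tampered(pristine: Path, deployed: Path) -> dict[str, list[str]]:
    """Classify deployed files against the pristine release.

    modified: same path, different content (e.g. injected script in a core file)
    added:    present only on the server (e.g. a file dropped into uploads/)
    missing:  present in the release but gone from the server
    """
    good = hash_tree(pristine)
    live = hash_tree(deployed)
    modified = sorted(p for p in live if p in good and live[p] != good[p])
    added = sorted(p for p in live if p not in good)
    missing = sorted(p for p in good if p not in live)
    return {"modified": modified, "added": added, "missing": missing}


def build_demo() -> tuple[Path, Path]:
    """Constructed sample: a two-file 'release' and a deployed copy in which one
    core file has extra content appended and an extra PHP file sits in uploads/.
    Paths and contents are invented for the demo, not taken from any campaign."""
    base = Path(tempfile.mkdtemp(prefix="cms-integrity-"))
    pristine = base / "release"
    deployed = base / "htdocs"
    for root in (pristine, deployed):
        (root / "wp-includes").mkdir(parents=True)
        (root / "wp-includes" / "core.js").write_text("console.log('core');\n")
        (root / "index.php").write_text("<?php echo 'hello';\n")
    # Constructed tampering: content appended to a core file ...
    with (deployed / "wp-includes" / "core.js").open("a") as handle:
        handle.write("/* constructed appended content */\n")
    # ... and a PHP file that the release never shipped.
    (deployed / "wp-content" / "uploads").mkdir(parents=True)
    (deployed / "wp-content" / "uploads" / "cache.php").write_text(
        "<?php // constructed extra file\n"
    )
    return pristine, deployed


if __name__ == "__main__":
    pristine_dir, deployed_dir = build_demo()
    for kind, paths in find_tampered(pristine_dir, deployed_dir).items():
        for relative in paths:
            print(f"{kind:9s} {relative}")
```

In practice the pristine tree is a fresh download of the exact CMS and plugin versions in use, unpacked outside the web root; anything in `modified` or `added` is then reviewed and replaced from that download, and the list of `added` files is worth checking against the scheduled tasks mentioned in the next item, since a dropped file is often what such a task re-creates.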

How site visitors can avoid falling victim to phishing

  • If the site being visited appears different than expected, site visitors should leave the site and not download any files or enter any information.
  • Only download updates directly from browser settings, never via any other channels.

The full analysis can be found on the Decoded blog:
